[ https://issues.apache.org/jira/browse/GERONIMO-3084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12488590 ]

David Jencks commented on GERONIMO-3084:
----------------------------------------

I have not looked into this AT ALL so my comment may be ridiculous but I wonder 
if writing a jacc-based ActiveMQ authorization plugin would be the best solution 
here? There would be some ActiveMQ permissions and we'd check them against the 
ACC.  I tried something similar for jetspeed portal permissions and it worked 
fine.

> Incompatibility between ActiveMQ JAAS and Geronimo JAAS
> -------------------------------------------------------
>
>                 Key: GERONIMO-3084
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3084
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: ActiveMQ
>    Affects Versions: 1.2
>            Reporter: Aman Nanner
>
> I have reconfigured Geronimo so that the ActiveMQ broker loads its 
> configuration from an external XML file.  Within this file, I have specified 
> a security configuration for my queues and topics.  This is the file:
> ----
> {code}
> <beans>
>   <!-- Allows us to use system properties as variables in this configuration file -->
>   <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>
>   <broker brokerName="localhost" useJmx="true" xmlns="http://activemq.org/config/1.0">
>
>     <plugins>
>       <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
>       <jaasAuthenticationPlugin configuration="geronimo-admin" />
>       <!-- lets configure a destination based authorization mechanism -->
>       <authorizationPlugin>
>         <map>
>           <authorizationMap>
>             <authorizationEntries>
>               <authorizationEntry queue=">" read="admin" write="admin" admin="admin" />
>               <authorizationEntry topic=">" read="admin" write="admin" admin="admin" />
>             </authorizationEntries>
>           </authorizationMap>
>         </map>
>       </authorizationPlugin>
>     </plugins>
>
>   </broker>
>   <!-- lets create a command agent to respond to message based admin commands on the ActiveMQ.Agent topic
>   <commandAgent xmlns="http://activemq.org/config/1.0"/>-->
> </beans>
> {code}
> ----
> As can be seen, I am using the following JAAS login config domain: 
> geronimo-admin.  This is the standard login domain that gets its users and 
> groups from properties files.  However, when running the Geronimo server, 
> JAAS cannot match up the "admin" role specified in the ActiveMQ XML file with 
> the "admin" role specified in the groups.properties file for the 
> "geronimo-admin" login domain.  The problem is that the ActiveMQ role is a 
> principal of type {{org.apache.activemq.jaas.GroupPrincipal}}, while the 
> Geronimo JAAS "admin" role is of the type 
> {{org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal}}.  
> Because these principals are different classes, they are not considered 
> "equal" to each other by the {{equals()}} method on 
> {{org.apache.activemq.jaas.GroupPrincipal}}.  The stack trace where the error 
> occurs is here:
> ----
> {code}
> Thread [ActiveMQ Transport: tcp:///192.168.12.196:2453] (Suspended)
>       GeronimoGroupPrincipal.equals(Object) line: 42
>       HashMap<K,V>.eq(Object, Object) line: 299
>       HashMap<K,V>.containsKey(Object) line: 381
>       HashSet<E>.contains(Object) line: 182
>       HashSet<E>(AbstractCollection<E>).retainAll(Collection<?>) line: 392
>       JaasAuthenticationBroker$JaasSecurityContext(SecurityContext).isInOneOf(Set) line: 43
>       AuthorizationBroker.addDestination(ConnectionContext, ActiveMQDestination) line: 64
>       BrokerService$2(MutableBrokerFilter).addDestination(ConnectionContext, ActiveMQDestination) line: 152
>       ManagedTopicRegion(AbstractRegion).lookup(ConnectionContext, ActiveMQDestination) line: 316
>       ManagedTopicRegion(AbstractRegion).send(ConnectionContext, Message) line: 291
>       ManagedRegionBroker(RegionBroker).send(ConnectionContext, Message) line: 385
>       TransactionBroker.send(ConnectionContext, Message) line: 193
>       AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId, ActiveMQMessage) line: 272
>       AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId) line: 237
>       AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command) line: 232
>       AdvisoryBroker.addConnection(ConnectionContext, ConnectionInfo) line: 73
>       CompositeDestinationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
>       JaasAuthenticationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
>       JaasAuthenticationBroker.addConnection(ConnectionContext, ConnectionInfo) line: 90
>       AuthorizationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
>       BrokerService$2(MutableBrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 92
>       TransportConnection.processAddConnection(ConnectionInfo) line: 706
>       ConnectionInfo.visit(CommandVisitor) line: 121
>       TransportConnection.service(Command) line: 294
>       TransportConnection$1.onCommand(Object) line: 185
>       MutexTransport(TransportFilter).onCommand(Object) line: 65
>       WireFormatNegotiator.onCommand(Object) line: 133
>       InactivityMonitor.onCommand(Object) line: 122
>       TcpTransport(TransportSupport).doConsume(Object) line: 84
>       TcpTransport.run() line: 137
>       Thread.run() line: 595
> {code}
> ----
> Securing the ActiveMQ resources is an important component to securing a 
> production server, so some way of resolving this issue should be determined.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
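Editor's note: the following stand-alone Java is an added illustration, not code from ActiveMQ, Geronimo or this issue. It models the failing `isInOneOf(Set)` step from the stack trace above with two stand-in principal classes (ActiveMqGroup and GeronimoGroup, hypothetical names) whose `equals()` is class-sensitive, then shows one mitigation at the subject level: re-expressing the realm's group principals in the type the broker's authorization map compares against. The real fix in the project may differ (for example the JACC-based plugin suggested in the comment).

```java
import java.security.Principal;
import java.util.*;

// Illustrative stand-ins (not the real ActiveMQ/Geronimo classes). Each
// equals() requires the same class AND the same name, as the report describes.
final class ActiveMqGroup implements Principal {
    private final String name;
    ActiveMqGroup(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof ActiveMqGroup && name.equals(((ActiveMqGroup) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

final class GeronimoGroup implements Principal {
    private final String name;
    GeronimoGroup(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof GeronimoGroup && name.equals(((GeronimoGroup) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

public class PrincipalMismatchDemo {
    // Models the isInOneOf(Set) check in the trace: keep only the subject's
    // principals that are also in the set allowed for the destination.
    static boolean isInOneOf(Set<Principal> subjectPrincipals, Set<Principal> allowed) {
        Set<Principal> copy = new HashSet<>(subjectPrincipals);
        copy.retainAll(allowed); // uses equals()/hashCode() of each principal
        return !copy.isEmpty();
    }

    // Hypothetical mitigation: map the realm's group principals, by name, onto
    // the group type the broker's authorization entries are built from.
    static Set<Principal> mapGroups(Set<Principal> subjectPrincipals) {
        Set<Principal> mapped = new HashSet<>();
        for (Principal p : subjectPrincipals) {
            mapped.add(p instanceof GeronimoGroup ? new ActiveMqGroup(p.getName()) : p);
        }
        return mapped;
    }

    public static void main(String[] args) {
        Set<Principal> allowed = Collections.singleton(new ActiveMqGroup("admin"));
        Set<Principal> subject = Collections.singleton(new GeronimoGroup("admin"));
        System.out.println(isInOneOf(subject, allowed));            // false: same name, different class
        System.out.println(isInOneOf(mapGroups(subject), allowed)); // true once the types agree
    }
}
```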
